[PATCH] Fix for bug 12164
Ralph Böhme
slow at samba.org
Wed Nov 28 18:23:12 UTC 2018
On Wed, Nov 28, 2018 at 03:16:20PM +0100, Ralph Böhme wrote:
>On Wed, Nov 28, 2018 at 02:17:16PM +0100, Stefan Metzmacher wrote:
>>On 28.11.18 at 12:51, Ralph Böhme via samba-technical wrote:
>>>Hi!
>>>
>>>Attached is a fix for bug 12164.
>>>
>>>Fixes lookupnames in winbindd for names in the "NT Authority" domain.
>>
>>find_lookup_domain_from_sid() already has something similar
>>using sid_check_is_wellknown_domain() from source3/lib/util_wellknown.c.
>>Maybe we want to add a new function there for now.
>>
>>In both cases I think it should be routed to the "BUILTIN" domain
>>instead of the passdb domain.
>>
>>The same applies to "NT Pseudo Domain", "Internet$" and
>>"Mandatory Label". Maybe we should have a helper function
>>that checks predefined_domains[] in libcli/security/util_sid.c
>>
>>Or we remove source3/lib/util_wellknown.c and use the more up to
>>date table from libcli/security/util_sid.c, which matches the
>>[MS-LSAT] 3.1.1.1.1 Predefined Translation Database and Corresponding View.
>
>thanks, I'll check!
Updated patchset attached. Passes local make test TESTS=samba.blackbox.wbinfo.
CI: https://gitlab.com/samba-team/devel/samba/pipelines/38253680
Please review&push if happy.
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
-------------- next part --------------
From c539bad86694f3138ccb69f77b9796f916c7d8b4 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Tue, 27 Nov 2018 20:32:09 +0100
Subject: [PATCH 1/5] selftest: test wbinfo -n and --gid-info with "NT
Authority"
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12164
Signed-off-by: Ralph Boehme <slow at samba.org>
---
nsswitch/tests/test_wbinfo.sh | 18 ++++++++++++++++++
selftest/knownfail.d/samba.blackbox.wbinfo | 2 ++
2 files changed, 20 insertions(+)
create mode 100644 selftest/knownfail.d/samba.blackbox.wbinfo
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index 67660e50fc8..2ac83828a0e 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -125,6 +125,24 @@ else
echo "success: wbinfo -n check for sane mapping"
fi
+echo "test: wbinfo -n NT Authority/Authenticated Users"
+$wbinfo -n "NT Authority/Authenticated Users"
+if [ $? -ne 0 ] ; then
+ echo "failure: wbinfo -n NT Authority/Authenticated Users"
+ failed=`expr $failed + 1`
+else
+ echo "success: wbinfo -n NT Authority/Authenticated Users"
+fi
+
+echo "test: wbinfo --group-info NT Authority/Authenticated Users"
+$wbinfo --group-info "NT Authority/Authenticated Users"
+if [ $? -ne 0 ] ; then
+ echo "failure: wbinfo --group-info NT Authority/Authenticated Users"
+ failed=`expr $failed + 1`
+else
+ echo "success: wbinfo --group-info NT Authority/Authenticated Users"
+fi
+
testit "wbinfo -U against $TARGET" $wbinfo -U 30000 || failed=`expr $failed + 1`
echo "test: wbinfo -U check for sane mapping"
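Review bot: both new cases only test `$?`, so they pass whenever wbinfo exits 0, whatever it prints. The 5/5 commit message shows the expected result for the -n case (S-1-5-11 SID_WKN_GROUP); capturing the output and comparing the SID would catch a lookup that succeeds but resolves to the wrong principal. The hand-written test:/failure:/success: echo blocks could also be replaced with the testit helper used on the following wbinfo -U line, which keeps the failed counter handling in one place.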
diff --git a/selftest/knownfail.d/samba.blackbox.wbinfo b/selftest/knownfail.d/samba.blackbox.wbinfo
new file mode 100644
index 00000000000..e294c2d3c15
--- /dev/null
+++ b/selftest/knownfail.d/samba.blackbox.wbinfo
@@ -0,0 +1,2 @@
+^samba.blackbox.wbinfo\(.*\).wbinfo -n NT Authority/Authenticated Users\(.*\)
+^samba.blackbox.wbinfo\(.*\).wbinfo --group-info NT Authority/Authenticated Users\(.*\)
--
2.17.2
From d19bae4377d2a5912a12d4d6ed8b7eb54319fb4c Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Wed, 28 Nov 2018 17:19:39 +0100
Subject: [PATCH 2/5] libcli/security: add
dom_sid_lookup_is_predefined_domain()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12164
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
---
libcli/security/dom_sid.h | 1 +
libcli/security/util_sid.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 1effdbc2f6c..abaf305f96a 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -74,6 +74,7 @@ NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
enum lsa_SidType *type,
const struct dom_sid **authority_sid,
const char **authority_name);
+bool dom_sid_lookup_is_predefined_domain(const char *domain);
int dom_sid_compare_auth(const struct dom_sid *sid1,
const struct dom_sid *sid2);
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index af04dff1325..531d3809565 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -879,6 +879,39 @@ NTSTATUS dom_sid_lookup_predefined_name(const char *name,
return NT_STATUS_NONE_MAPPED;
}
+bool dom_sid_lookup_is_predefined_domain(const char *domain)
+{
+ size_t di;
+ bool match;
+
+ if (domain == NULL) {
+ domain = "";
+ }
+
+ match = strequal(domain, "");
+ if (match) {
+ /*
+ * Strange, but that's what W2012R2 does.
+ */
+ domain = "BUILTIN";
+ }
+
+ for (di = 0; di < ARRAY_SIZE(predefined_domains); di++) {
+ const struct predefined_domain_mapping *d =
+ &predefined_domains[di];
+ int cmp;
+
+ cmp = strcasecmp(d->domain, domain);
+ if (cmp != 0) {
+ continue;
+ }
+
+ return true;
+ }
+
+ return false;
+}
+
NTSTATUS dom_sid_lookup_predefined_sid(const struct dom_sid *sid,
const char **name,
enum lsa_SidType *type,
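Review bot: the NULL and "" handling at the top of dom_sid_lookup_is_predefined_domain() is not documented at the declaration in dom_sid.h, yet it changes what callers get back: an empty domain is rewritten to "BUILTIN" and the answer then depends on whether predefined_domains[] has a BUILTIN entry. A short comment on the prototype stating that NULL/"" are treated as BUILTIN would make that contract visible to callers. Smaller points in the same function: it mixes strequal() for the empty check with strcasecmp() in the loop, and the cmp/continue/return true sequence can be reduced to a single if (strcasecmp(d->domain, domain) == 0) return true; also domain[0] == '\0' says the same as strequal(domain, "") without a case-insensitive compare.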
--
2.17.2
From 44afee51bbcd8d59eb0dcbfef2148ffbaf2d1186 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Tue, 27 Nov 2018 17:32:09 +0100
Subject: [PATCH 3/5] winbindd: add some braces
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12164
Signed-off-by: Ralph Boehme <slow at samba.org>
---
source3/winbindd/winbindd_util.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 9bc25d98c4e..090a90574ce 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1527,7 +1527,9 @@ struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
if (strequal(domain_name, "BUILTIN") ||
strequal(domain_name, get_global_sam_name()))
+ {
return find_domain_from_name_noinit(domain_name);
+ }
if (IS_DC) {
struct winbindd_domain *domain = NULL;
--
2.17.2
From 075d9ea998979835060037ee134aceb396d534f9 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Wed, 28 Nov 2018 17:20:41 +0100
Subject: [PATCH 4/5] winbindd: fix predefined domains routing in
find_lookup_domain_from_sid()
Route predefined domains through the BUILTIN domain child, not passdb.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12164
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
---
source3/winbindd/winbindd_util.c | 27 ++++++++-------------------
1 file changed, 8 insertions(+), 19 deletions(-)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 090a90574ce..67aca44b858 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -108,15 +108,6 @@ static bool is_internal_domain(const struct dom_sid *sid)
return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
}
-static bool is_in_internal_domain(const struct dom_sid *sid)
-{
- if (sid == NULL)
- return False;
-
- return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
-}
-
-
/* Add a trusted domain to our list of domains.
If the domain already exists in the list,
return it and don't re-initialize. */
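Review bot: with is_in_internal_domain() removed here and the only call site shown in the next hunk (is_internal_domain(sid) || is_in_internal_domain(sid)) also removed, please check that the static is_internal_domain() kept just above still has a caller in this file. If that was its last use it should go in the same commit, otherwise the build picks up an unused static function warning.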
@@ -1475,20 +1466,18 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
sid_check_is_unix_groups(sid) ||
sid_check_is_in_unix_users(sid) ||
sid_check_is_unix_users(sid) ||
- sid_check_is_wellknown_domain(sid, NULL) ||
- sid_check_is_in_wellknown_domain(sid) )
+ sid_check_is_our_sam(sid) ||
+ sid_check_is_in_our_sam(sid) )
{
return find_domain_from_sid(get_global_sam_sid());
}
- /*
- * On member servers the internal domains are different: These are part
- * of the local SAM.
- */
-
- if (is_internal_domain(sid) || is_in_internal_domain(sid)) {
- DEBUG(10, ("calling find_domain_from_sid\n"));
- return find_domain_from_sid(sid);
+ if ( sid_check_is_builtin(sid) ||
+ sid_check_is_in_builtin(sid) ||
+ sid_check_is_wellknown_domain(sid, NULL) ||
+ sid_check_is_in_wellknown_domain(sid) )
+ {
+ return find_domain_from_sid(&global_sid_Builtin);
}
if (IS_DC) {
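Review bot: the new BUILTIN block in find_lookup_domain_from_sid() drops both the explanatory comment and the DEBUG(10) line of the code it replaces, and nothing says why well-known SIDs are now sent to the BUILTIN child rather than to the SAM domain. A one-line comment above the block (the commit message already has the wording) would help the next reader, since the sid_check_is_wellknown_domain() conditions moved from one return to another and the difference is easy to miss. The tests from 1/5 only drive name lookups (wbinfo -n and --group-info); a wbinfo -s S-1-5-11 case would exercise this SID routing directly. It is also worth confirming that find_domain_from_sid(&global_sid_Builtin) cannot return NULL in any server role, because the old code passed the caller's SID and the new code depends on a BUILTIN domain being present in the list.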
--
2.17.2
From 9e7c5fe766d2cf9cc665f0792c04739e01a5ab9d Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Wed, 28 Nov 2018 15:39:21 +0100
Subject: [PATCH 5/5] winbindd: route predefined domains through the BUILTIN
domain child
Without this eg "NT Authority" didn't work:
$ bin/wbinfo -n "NT Authority/Authenticated Users"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NT Authority/Authenticated Users
$ bin/wbinfo --group-info="NT Authority/Authenticated Users"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group NT Authority/Authenticated Users
With the patch:
$ bin/wbinfo -n "NT Authority/Authenticated Users"
S-1-5-11 SID_WKN_GROUP (5)
$ bin/wbinfo --group-info="NT Authority/Authenticated Users"
NT AUTHORITY\authenticated users:x:10002:
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12164
Signed-off-by: Ralph Boehme <slow at samba.org>
---
selftest/knownfail.d/samba.blackbox.wbinfo | 2 --
source3/winbindd/winbindd_util.c | 7 +++++++
2 files changed, 7 insertions(+), 2 deletions(-)
delete mode 100644 selftest/knownfail.d/samba.blackbox.wbinfo
diff --git a/selftest/knownfail.d/samba.blackbox.wbinfo b/selftest/knownfail.d/samba.blackbox.wbinfo
deleted file mode 100644
index e294c2d3c15..00000000000
--- a/selftest/knownfail.d/samba.blackbox.wbinfo
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.blackbox.wbinfo\(.*\).wbinfo -n NT Authority/Authenticated Users\(.*\)
-^samba.blackbox.wbinfo\(.*\).wbinfo --group-info NT Authority/Authenticated Users\(.*\)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 67aca44b858..9321f6027d2 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1504,6 +1504,8 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
{
+ bool predefined;
+
if ( strequal(domain_name, unix_users_domain_name() ) ||
strequal(domain_name, unix_groups_domain_name() ) )
{
@@ -1520,6 +1522,11 @@ struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
return find_domain_from_name_noinit(domain_name);
}
+ predefined = dom_sid_lookup_is_predefined_domain(domain_name);
+ if (predefined) {
+ return find_domain_from_name_noinit(builtin_domain_name());
+ }
+
if (IS_DC) {
struct winbindd_domain *domain = NULL;
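Review bot: the dom_sid_lookup_is_predefined_domain(domain_name) call sits before the IS_DC branch, so it applies in every role, and per 2/5 the helper maps a NULL or empty domain_name to "BUILTIN". If that helper then returns true, an unqualified name reaching find_lookup_domain_from_name() is routed to the BUILTIN child instead of falling through to the DC or member logic below. If that is intended (matching the W2012R2 behaviour noted in 2/5), please say so in a comment here; if not, guard the call with a check for a non-empty domain_name. The predefined local is only used once, so if (dom_sid_lookup_is_predefined_domain(domain_name)) { ... } would avoid the extra declaration in the previous hunk.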
--
2.17.2